Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call

 1title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
 2id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
 3related:
 4    - id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
 5      type: similar
 6status: test
 7description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
 8references:
 9    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
10    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
11    - https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
12author: pH-T (Nextron Systems)
13date: 2022-03-01
14modified: 2023-04-06
15tags:
16    - attack.execution
17    - attack.defense-evasion
18    - attack.t1059.001
19    - attack.t1027
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        CommandLine|contains:
26            # ::("L"+"oad")
27            - 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
28            - 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
29            - '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
30            # ::("Lo"+"ad")
31            - 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
32            - 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
33            - '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
34            # ::("Loa"+"d")
35            - 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
36            - 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
37            - '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
38            # ::('L'+'oad')
39            - 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
40            - 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
41            - '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
42            # ::('Lo'+'ad')
43            - 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
44            - 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
45            - '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
46            # ::('Loa'+'d')
47            - 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
48            - 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
49            - '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'
50    condition: selection
51fields:
52    - CommandLine
53falsepositives:
54    - Unlikely
55level: high

References

• Raccine/yara/mal_revil.yar at 20a569fa21625086433dcce8bb2765d0ea08dcb6 · Neo23x0/Raccine

  

  A Simple Ransomware Vaccine. Contribute to Neo23x0/Raccine development by creating an account on GitHub.

  
  Read More

• SEO Poisoning – A Gootloader Story

  

  In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral moveme…

  
  Read More

• AppDomain.Load Method (System)

  

  Loads an Assembly into this application domain.

  
  Read More

Related rules

• ConvertTo-SecureString Cmdlet Usage Via CommandLine
• Invoke-Obfuscation CLIP+ Launcher
• Invoke-Obfuscation CLIP+ Launcher - PowerShell
• Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
• Invoke-Obfuscation CLIP+ Launcher - Security